Dear visitor, welcome to Avira Support Forum.

  • "AeonFlux" started this thread

Date of registration:
May 3rd 2012

Version:
Avira Free Antivirus

Operating System:
Windows 7

1

Thursday, May 3rd 2012, 10:15am

My Laptop is Infected with TR/Atraps.gen2

Please instruct me how to get rid of this nasty virus.

marfabilis

Moderator

Date of registration:
May 14th 2010

Version:
Avira Free Antivirus
Avira Antivirus Suite
Avira Internet Security Suite
Avira Internet Security

Operating System:
System of a Down

2

Thursday, May 3rd 2012, 12:20pm

Hi AeonFlux,

Could you please post here the detection log and a report file of a complete system scan?

Marco
| :: RU | EN | PT-BR | ZH-CN | ZH-TW ::

  • "AeonFlux" started this thread

3

Tuesday, May 8th 2012, 10:45am

Hi,

How and where do I get the detection log? I have 36 files infected, but they cannot be removed.

  • "AeonFlux" started this thread

4

Tuesday, May 8th 2012, 11:14am

I am trying to copy and paste the file, but it's too long?

  • "AeonFlux" started this thread

5

Tuesday, May 8th 2012, 11:27am

Avira Free Antivirus
Report file date: Tuesday, May 01, 2012 21:08

Scanning for 3729615 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows 7 x64
Windows version : (Service Pack 1) [6.1.7601]
Boot mode : Normally booted
Username : SYSTEM
Computer name : KINGTUTT1964-PC

Version information:
BUILD.DAT : 12.0.0.898 41963 Bytes 1/31/2012 14:50:00
AVSCAN.EXE : 12.1.0.20 492496 Bytes 1/31/2012 15:56:54
AVSCAN.DLL : 12.1.0.18 54224 Bytes 1/31/2012 15:57:27
LUKE.DLL : 12.1.0.19 68304 Bytes 1/31/2012 15:57:02
AVSCPLR.DLL : 12.1.0.22 100048 Bytes 1/31/2012 15:56:54
AVREG.DLL : 12.1.0.36 229128 Bytes 5/2/2012 04:02:28
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 16:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 15:57:15
VBASE002.VDF : 7.11.19.170 14374912 Bytes 12/20/2011 15:57:20
VBASE003.VDF : 7.11.21.238 4472832 Bytes 2/1/2012 04:01:34
VBASE004.VDF : 7.11.26.44 4329472 Bytes 3/28/2012 04:01:49
VBASE005.VDF : 7.11.26.45 2048 Bytes 3/28/2012 04:01:50
VBASE006.VDF : 7.11.26.46 2048 Bytes 3/28/2012 04:01:50
VBASE007.VDF : 7.11.26.47 2048 Bytes 3/28/2012 04:01:51
VBASE008.VDF : 7.11.26.48 2048 Bytes 3/28/2012 04:01:51
VBASE009.VDF : 7.11.26.49 2048 Bytes 3/28/2012 04:01:52
VBASE010.VDF : 7.11.26.50 2048 Bytes 3/28/2012 04:01:52
VBASE011.VDF : 7.11.26.51 2048 Bytes 3/28/2012 04:01:52
VBASE012.VDF : 7.11.26.52 2048 Bytes 3/28/2012 04:01:53
VBASE013.VDF : 7.11.26.53 2048 Bytes 3/28/2012 04:01:53
VBASE014.VDF : 7.11.26.107 221696 Bytes 3/30/2012 04:01:54
VBASE015.VDF : 7.11.26.179 224768 Bytes 4/2/2012 04:01:55
VBASE016.VDF : 7.11.26.241 142336 Bytes 4/4/2012 04:01:56
VBASE017.VDF : 7.11.27.41 247808 Bytes 4/8/2012 04:01:57
VBASE018.VDF : 7.11.27.107 161280 Bytes 4/12/2012 04:01:58
VBASE019.VDF : 7.11.27.159 148992 Bytes 4/13/2012 04:01:59
VBASE020.VDF : 7.11.27.201 207360 Bytes 4/17/2012 04:02:00
VBASE021.VDF : 7.11.28.3 237568 Bytes 4/19/2012 04:02:01
VBASE022.VDF : 7.11.28.49 193536 Bytes 4/20/2012 04:02:02
VBASE023.VDF : 7.11.28.99 195072 Bytes 4/23/2012 04:02:03
VBASE024.VDF : 7.11.28.133 247808 Bytes 4/24/2012 04:02:04
VBASE025.VDF : 7.11.28.183 186880 Bytes 4/26/2012 04:02:05
VBASE026.VDF : 7.11.28.235 166400 Bytes 4/30/2012 04:02:07
VBASE027.VDF : 7.11.28.236 2048 Bytes 4/30/2012 04:02:07
VBASE028.VDF : 7.11.28.237 2048 Bytes 4/30/2012 04:02:07
VBASE029.VDF : 7.11.28.238 2048 Bytes 4/30/2012 04:02:08
VBASE030.VDF : 7.11.28.239 2048 Bytes 4/30/2012 04:02:08
VBASE031.VDF : 7.11.29.4 94208 Bytes 5/2/2012 04:02:09
Engineversion : 8.2.10.58
AEVDF.DLL : 8.1.2.2 106868 Bytes 1/31/2012 15:56:42
AESCRIPT.DLL : 8.1.4.18 455034 Bytes 5/2/2012 04:02:25
AESCN.DLL : 8.1.8.2 131444 Bytes 5/2/2012 04:02:25
AESBX.DLL : 8.2.5.5 606579 Bytes 5/2/2012 04:02:27
AERDL.DLL : 8.1.9.15 639348 Bytes 1/31/2012 15:56:42
AEPACK.DLL : 8.2.16.9 807287 Bytes 5/2/2012 04:02:24
AEOFFICE.DLL : 8.1.2.28 201082 Bytes 5/2/2012 04:02:22
AEHEUR.DLL : 8.1.4.21 4682102 Bytes 5/2/2012 04:02:21
AEHELP.DLL : 8.1.20.0 254326 Bytes 5/2/2012 04:02:13
AEGEN.DLL : 8.1.5.28 422260 Bytes 5/2/2012 04:02:12
AEEXP.DLL : 8.1.0.33 82293 Bytes 5/2/2012 04:02:27
AEEMU.DLL : 8.1.3.0 393589 Bytes 1/31/2012 15:56:38
AECORE.DLL : 8.1.25.6 201078 Bytes 5/2/2012 04:02:11
AEBB.DLL : 8.1.1.0 53618 Bytes 1/31/2012 15:56:38
AVWINLL.DLL : 12.1.0.17 27344 Bytes 1/31/2012 15:56:55
AVPREF.DLL : 12.1.0.17 51920 Bytes 1/31/2012 15:56:53
AVREP.DLL : 12.1.0.17 179408 Bytes 1/31/2012 15:56:53
AVARKT.DLL : 12.1.0.23 209360 Bytes 1/31/2012 15:56:49
AVEVTLOG.DLL : 12.1.0.17 169168 Bytes 1/31/2012 15:56:50
SQLITE3.DLL : 3.7.0.0 398288 Bytes 1/31/2012 15:57:08
AVSMTP.DLL : 12.1.0.17 62928 Bytes 1/31/2012 15:56:54
NETNT.DLL : 12.1.0.17 17104 Bytes 1/31/2012 15:57:04
RCIMAGE.DLL : 12.1.0.17 4450000 Bytes 1/31/2012 15:57:30
RCTEXT.DLL : 12.1.1.16 96208 Bytes 1/31/2012 15:57:30

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\ProgramData\Avira\AntiVir Desktop\PROFILES\AVSCAN-20120501-210609-71BECFF8.avp
Logging.............................: default
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: extended

  • "AeonFlux" started this thread

6

Tuesday, May 8th 2012, 11:28am

Start of the scan: Tuesday, May 01, 2012 21:08

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-2369695206-1608172560-2618111960-1000\Software\ATI\ACE\AppDomains\Communications.CCC.exe.CCC.4024
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-2369695206-1608172560-2618111960-1000\Software\ATI\ACE\AppDomains\Communications.MOM.exe.MOM.3276
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-2369695206-1608172560-2618111960-1000\Software\ATI\ACE\Processes\3276
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-2369695206-1608172560-2618111960-1000\Software\ATI\ACE\Processes\4024
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-2369695206-1608172560-2618111960-1000\Software\ATI\ACE\Services\AEM\ChannelUrl
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-2369695206-1608172560-2618111960-1000\Software\ATI\ACE\Services\AEM\ChannelUrl
HKEY_USERS\S-1-5-21-2369695206-1608172560-2618111960-1000\Software\ATI\ACE\Services\AEM\ChannelUrl
HKEY_USERS\S-1-5-21-2369695206-1608172560-2618111960-1000\Software\ATI\ACE\Services\AEM\ChannelUrl
HKEY_USERS\S-1-5-21-2369695206-1608172560-2618111960-1000\Software\ATI\ACE\Services\AEM\ChannelUrl
HKEY_USERS\S-1-5-21-2369695206-1608172560-2618111960-1000\Software\ATI\ACE\Services\AEM\ChannelUrl
HKEY_USERS\S-1-5-21-2369695206-1608172560-2618111960-1000\Software\ATI\ACE\Settings\Runtime\Runtime Graphics Caste Initialize LoadDEM
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-2369695206-1608172560-2618111960-1000\Software\ATI\ACE\Settings\Runtime\Runtime Graphics Caste Initialize LoadDEM ProcTime
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-2369695206-1608172560-2618111960-1000\Software\ATI\ACE\Settings\Runtime\Runtime Graphics Caste Initialize Finishing ProcTime
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-2369695206-1608172560-2618111960-1000\Software\ATI\ACE\Settings\Runtime\Runtime Profile Mgr
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-2369695206-1608172560-2618111960-1000\Software\ATI\ACE\Settings\Runtime\RuntimePublish
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-2369695206-1608172560-2618111960-1000\Software\ATI\ACE\Settings\Runtime\RuntimeStartUp
[NOTE] The registry entry is invisible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.
Hidden thread
[NOTE] A system thread is not visible.

The scan of running processes will be started
Scan process 'SymcPCCULaunchSvc.exe' - '36' Module(s) have been scanned
Scan process 'iviRegMgr.exe' - '22' Module(s) have been scanned
Scan process 'avscan.exe' - '92' Module(s) have been scanned
Module is OK -> <\\.\globalroot\systemroot\syswow64\mswsock.dll>
[WARNING] The file could not be opened!
Scan process 'avgnt.exe' - '68' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '70' Module(s) have been scanned
Module is OK -> <\\.\globalroot\systemroot\syswow64\mswsock.dll>
[WARNING] The file could not be opened!
Scan process 'jusched.exe' - '25' Module(s) have been scanned
Scan process 'TWebCamera.exe' - '60' Module(s) have been scanned
Scan process 'KeNotify.exe' - '24' Module(s) have been scanned
Scan process 'ccSvcHst.exe' - '52' Module(s) have been scanned
Scan process 'PsiService_2.exe' - '22' Module(s) have been scanned
Scan process 'ccSvcHst.exe' - '81' Module(s) have been scanned
Module is OK -> <\\.\globalroot\systemroot\syswow64\mswsock.dll>
[WARNING] The file could not be opened!
Scan process 'AppleMobileDeviceService.exe' - '68' Module(s) have been scanned
Module is OK -> <\\.\globalroot\systemroot\syswow64\mswsock.dll>
[WARNING] The file could not be opened!
Scan process 'avguard.exe' - '81' Module(s) have been scanned
Scan process 'sched.exe' - '41' Module(s) have been scanned

Starting to scan executable files (registry).
C:\Windows\Sysnative\PXRDDriver.dll
[DETECTION] Is the TR/ATRAPS.Gen Trojan

The registry was scanned ( '1282' files ).

  • "AeonFlux" started this thread

7

Tuesday, May 8th 2012, 11:28am

Starting the file scan:

Begin scan in 'C:\' <TI105955W0C>
C:\ProgramData\Microsoft\Windows\DRM\AD4F.tmp.dat
[DETECTION] Is the TR/Alureon.FO.8 Trojan
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_32\Desktop.ini.vir
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_64\Desktop.ini.vir
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
C:\TDSSKiller_Quarantine\13.04.2012_20.09.34\mbr0000\tdlfs0000\tsk0000.dta
[DETECTION] Is the TR/Offend.kdv.599647 Trojan
C:\TDSSKiller_Quarantine\13.04.2012_20.09.34\mbr0000\tdlfs0000\tsk0002.dta
[DETECTION] Is the TR/Barys.537.1 Trojan
C:\TDSSKiller_Quarantine\13.04.2012_20.09.34\mbr0000\tdlfs0000\tsk0003.dta
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\TDSSKiller_Quarantine\13.04.2012_20.09.34\mbr0000\tdlfs0000\tsk0007.dta
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\TDSSKiller_Quarantine\13.04.2012_20.09.34\mbr0000\tdlfs0000\tsk0008.dta
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\TDSSKiller_Quarantine\13.04.2012_20.09.34\zaea0000\svc0000\tsk0000.dta
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\Users\Kingtutt1964\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\4163e332-474208ff
[0] Archive type: ZIP
--> Loo.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2011-3544.BF exploit
--> ggs.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2011-3544.A.34 exploit
C:\Users\Kingtutt1964\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\fe661f5-7e7b383f
[0] Archive type: ZIP
--> Efira.class
[DETECTION] Contains recognition pattern of the EXP/2010-0840.CG.2 exploit
--> Sefas.class
[DETECTION] Contains recognition pattern of the JAVA/Inject.G Java virus
C:\Windows\assembly\GAC_32\Desktop.ini
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
C:\Windows\assembly\GAC_64\Desktop.ini
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
C:\Windows\assembly\temp\U\80000032.@
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
C:\Windows\System32\consrv.dll
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
C:\Windows\System32\PXRDDriver.dll
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\Windows\System32\samss.dll
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\kpewatq.dll
[DETECTION] Is the TR/Kazy.iws Trojan
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\70358be2-563e1eb4
[0] Archive type: ZIP
--> ya/yb.class
[DETECTION] Contains recognition pattern of the EXP/JAVA.Ternub.Gen exploit
--> ya/yc.class
[DETECTION] Contains recognition pattern of the EXP/11-3544.FE exploit
--> ya/ya.class
[DETECTION] Contains recognition pattern of the EXP/JAVA.Ternub.Gen exploit
--> ya/M.class
[DETECTION] Contains recognition pattern of the EXP/JAVA.Ternub.Gen exploit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\278cad7f-175dc74a
[0] Archive type: ZIP
--> ya/yb.class
[DETECTION] Contains recognition pattern of the EXP/JAVA.Ternub.Gen exploit
--> ya/yc.class
[DETECTION] Contains recognition pattern of the EXP/11-3544.FE exploit
--> ya/ya.class
[DETECTION] Contains recognition pattern of the EXP/JAVA.Ternub.Gen exploit
--> ya/M.class
[DETECTION] Contains recognition pattern of the EXP/JAVA.Ternub.Gen exploit
C:\Windows\temp\ybwudd\setup.exe
[DETECTION] Is the TR/TDss.irpn Trojan

Beginning disinfection:
C:\Windows\temp\ybwudd\setup.exe
[DETECTION] Is the TR/TDss.irpn Trojan
[NOTE] The file was moved to the quarantine directory under the name '556c684e.qua'.
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\278cad7f-175dc74a
[DETECTION] Contains recognition pattern of the EXP/JAVA.Ternub.Gen exploit
[NOTE] The file was moved to the quarantine directory under the name '5237463b.qua'.
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\70358be2-563e1eb4
[DETECTION] Contains recognition pattern of the EXP/JAVA.Ternub.Gen exploit
[NOTE] The file was moved to the quarantine directory under the name '00631cd4.qua'.
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\kpewatq.dll
[DETECTION] Is the TR/Kazy.iws Trojan
[NOTE] The file was moved to the quarantine directory under the name '798252d6.qua'.
C:\Windows\System32\samss.dll
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '3c0e7ff9.qua'.
C:\Windows\System32\PXRDDriver.dll
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '5cea4da1.qua'.
C:\Windows\System32\consrv.dll
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '0fae61dc.qua'.
C:\Windows\assembly\temp\U\80000032.@
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '6c682053.qua'.
C:\Windows\assembly\GAC_64\Desktop.ini
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
[WARNING] The file could not be copied to quarantine!
[WARNING] The file could not be deleted!
[NOTE] For the final repair, a restart of the computer is instigated.
[NOTE] The file is scheduled for deleting after reboot.
[NOTE] For the final repair, a restart of the computer is instigated.
C:\Windows\assembly\GAC_32\Desktop.ini
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
[WARNING] The file could not be copied to quarantine!
[WARNING] The file could not be deleted!
[NOTE] For the final repair, a restart of the computer is instigated.
[NOTE] The file is scheduled for deleting after reboot.
[NOTE] For the final repair, a restart of the computer is instigated.
C:\Users\Kingtutt1964\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\fe661f5-7e7b383f
[DETECTION] Contains recognition pattern of the EXP/2010-0840.CG.2 exploit
[NOTE] The file was moved to the quarantine directory under the name '34001901.qua'.
C:\Users\Kingtutt1964\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\4163e332-474208ff
[DETECTION] Contains recognition pattern of the EXP/CVE-2011-3544.BF exploit
[NOTE] The file was moved to the quarantine directory under the name '45b920c0.qua'.
C:\TDSSKiller_Quarantine\13.04.2012_20.09.34\zaea0000\svc0000\tsk0000.dta
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '547e1045.qua'.
C:\TDSSKiller_Quarantine\13.04.2012_20.09.34\mbr0000\tdlfs0000\tsk0008.dta
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '11576907.qua'.
C:\TDSSKiller_Quarantine\13.04.2012_20.09.34\mbr0000\tdlfs0000\tsk0007.dta
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '185c6dab.qua'.
C:\TDSSKiller_Quarantine\13.04.2012_20.09.34\mbr0000\tdlfs0000\tsk0003.dta
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '401d74c2.qua'.
C:\TDSSKiller_Quarantine\13.04.2012_20.09.34\mbr0000\tdlfs0000\tsk0002.dta
[DETECTION] Is the TR/Barys.537.1 Trojan
[NOTE] The file was moved to the quarantine directory under the name '6ce90d0e.qua'.
C:\TDSSKiller_Quarantine\13.04.2012_20.09.34\mbr0000\tdlfs0000\tsk0000.dta
[DETECTION] Is the TR/Offend.kdv.599647 Trojan
[NOTE] The file was moved to the quarantine directory under the name '52176dd4.qua'.
C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '311c46a3.qua'.
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_64\Desktop.ini.vir
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '17c906a8.qua'.
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_32\Desktop.ini.vir
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '255d7d0d.qua'.
C:\ProgramData\Microsoft\Windows\DRM\AD4F.tmp.dat
[DETECTION] Is the TR/Alureon.FO.8 Trojan
[NOTE] The file was moved to the quarantine directory under the name '30df5610.qua'.
The registration entry <HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SIODRV\Parameters> was removed successfully.
The registration entry <HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SIODRV\Parameters> was removed successfully.
C:\Windows\Sysnative\PXRDDriver.dll
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[WARNING] The file could not be copied to quarantine!
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
[NOTE] For the final repair, a restart of the computer is instigated.
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SIODRV\Parameters\ServiceDll> was successfully repaired.
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SIODRV\Parameters\ServiceDll> was successfully repaired.


End of the scan: Tuesday, May 01, 2012 22:33
Used time: 1:22:18 Hour(s)

The scan has been done completely.

26409 Scanned directories
332050 Files were scanned
33 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 Files were deleted
0 Viruses and unwanted programs were repaired
20 Files were moved to quarantine
0 Files were renamed
4 Files cannot be scanned
332013 Files not concerned
2025 Archives were scanned
7 Warnings
99 Notes
562673 Objects were scanned with rootkit scan
81 Hidden objects were found

  • "AeonFlux" started this thread

8

Tuesday, May 8th 2012, 11:29am

I have copied and pasted the log report into 3 parts since it would not fit into one.

marfabilis

Moderator

9

Tuesday, May 8th 2012, 3:18pm

Hi AeonFlux,

Did you run ComboFix by yourself? Did someone help you?

Marco

  • "AeonFlux" started this thread

10

Tuesday, May 8th 2012, 4:01pm

I tried to use it from searching other boards but it didn't remove the virus. No one helped me.

marfabilis

Moderator

11

Tuesday, May 8th 2012, 5:02pm

Hi AeonFlux,

What is the current situation? Also, please perform another scan with your Avira and post here the report file.

Marco

  • "AeonFlux" started this thread

12

Tuesday, May 8th 2012, 5:06pm

It is infected with the TR/Atraps.gen2 virus. You can't see that??

marfabilis

Moderator

13

Tuesday, May 8th 2012, 5:13pm

Hi AeonFlux,

You ran TDSSKiller, ComboFix and most probably some other tools by yourself, which is a problem and the reason why the assistance is denied 'cause no one knows exactly what the situation was, what was changed, removed and the source of the infection. Your Avira scan was performed 7 days ago and most of the files belong to the quarantine of the tools that you used at your own risk. So, please perform another complete system scan with your Avira and post the report file in your next reply.

Marco
| :: RU | EN | PT-BR | ZH-CN | ZH-TW ::
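
The distinction drawn in the post above, between detections that sit inside other tools' quarantine folders and detections on live system paths, can be checked mechanically. The following is an added example, not part of the thread and not Avira code: a Python sketch that parses the report format shown in this thread. The function names, the bucket names and the separate bucket for the Java cache are assumptions, and the sample is an excerpt assembled from lines of the first report.

```python
import re
from collections import defaultdict

# Folders in which removal tools keep files they have already neutralised.
# Both prefixes are the ones visible in the report posted in this thread.
TOOL_QUARANTINE_PREFIXES = (
    "c:\\qoobox\\quarantine\\",
    "c:\\tdsskiller_quarantine\\",
)

DETECTION_RE = re.compile(
    r"^\[DETECTION\]\s+(?:Is the|Contains recognition pattern of the)\s+(\S+)"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Excerpt assembled from the first report in this thread (not the full log).
SAMPLE_REPORT = r"""
Starting the file scan:

Begin scan in 'C:\' <TI105955W0C>
C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
C:\TDSSKiller_Quarantine\13.04.2012_20.09.34\mbr0000\tdlfs0000\tsk0003.dta
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\70358be2-563e1eb4
[0] Archive type: ZIP
--> ya/yb.class
[DETECTION] Contains recognition pattern of the EXP/JAVA.Ternub.Gen exploit
--> ya/yc.class
[DETECTION] Contains recognition pattern of the EXP/11-3544.FE exploit
C:\Windows\assembly\GAC_64\Desktop.ini
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
C:\Windows\System32\consrv.dll
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan

Beginning disinfection:
C:\Windows\System32\consrv.dll
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '0fae61dc.qua'.
C:\Windows\assembly\GAC_64\Desktop.ini
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
[WARNING] The file could not be copied to quarantine!
[WARNING] The file could not be deleted!
[NOTE] The file is scheduled for deleting after reboot.
C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '311c46a3.qua'.
"""


def parse_detections(report_text):
    """Map each detected path to its detection names and follow-up notes.

    The report lists an object once in the scan section and again under
    'Beginning disinfection', so results are keyed by path to de-duplicate.
    """
    findings = {}
    current = None
    for raw in report_text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = line  # a new object; following lines describe it
            continue
        if current is None:
            continue
        match = DETECTION_RE.match(line)
        if match:
            entry = findings.setdefault(current, {"names": set(), "notes": []})
            entry["names"].add(match.group(1))
        elif line.startswith(("[NOTE]", "[WARNING]")) and current in findings:
            findings[current]["notes"].append(line)
    return findings


def classify(path):
    """Bucket a path: leftovers of other tools, browser-plugin cache, or live."""
    lowered = path.lower()
    if lowered.startswith(TOOL_QUARANTINE_PREFIXES):
        return "tool_quarantine"
    if "\\sun\\java\\deployment\\cache\\" in lowered:
        return "java_cache"
    return "live"


def triage(report_text):
    """Return (buckets, unresolved): paths per bucket and paths not yet removed."""
    findings = parse_detections(report_text)
    buckets = defaultdict(list)
    for path in findings:
        buckets[classify(path)].append(path)
    unresolved = sorted(
        path for path, entry in findings.items()
        if any("could not be" in note for note in entry["notes"])
    )
    return {name: sorted(paths) for name, paths in buckets.items()}, unresolved


if __name__ == "__main__":
    buckets, unresolved = triage(SAMPLE_REPORT)
    for name, paths in buckets.items():
        print(f"{name}: {len(paths)}")
    print("still on disk until reboot:", unresolved)
```
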

  • "AeonFlux" started this thread

14

Tuesday, May 8th 2012, 5:21pm

I will perform another scan now. I keep getting the popup message every 5 minutes about viruses and the TR/Atraps.gen2. I am also being redirected with Google search.

  • "AeonFlux" started this thread

15

Tuesday, May 8th 2012, 6:38pm

Avira Free Antivirus
Report file date: Tuesday, May 08, 2012 08:20

Scanning for 3758205 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available.

Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows 7 Home Premium
Windows version : (Service Pack 1) [6.1.7601]
Boot mode : Normally booted
Username : Kingtutt1964
Computer name : KINGTUTT1964-PC

Version information:
BUILD.DAT : 12.0.0.1125 Bytes 5/2/2012 17:40:00
AVSCAN.EXE : 12.3.0.15 466896 Bytes 5/8/2012 10:24:24
AVSCAN.DLL : 12.3.0.15 54736 Bytes 5/8/2012 10:24:24
LUKE.DLL : 12.3.0.15 68304 Bytes 5/8/2012 10:24:25
AVSCPLR.DLL : 12.3.0.14 97032 Bytes 5/8/2012 10:24:26
AVREG.DLL : 12.3.0.15 230152 Bytes 5/8/2012 10:24:26
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 16:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 15:57:15
VBASE002.VDF : 7.11.19.170 14374912 Bytes 12/20/2011 15:57:20
VBASE003.VDF : 7.11.21.238 4472832 Bytes 2/1/2012 10:24:23
VBASE004.VDF : 7.11.26.44 4329472 Bytes 3/28/2012 10:24:23
VBASE005.VDF : 7.11.26.45 2048 Bytes 3/28/2012 10:24:23
VBASE006.VDF : 7.11.26.46 2048 Bytes 3/28/2012 10:24:23
VBASE007.VDF : 7.11.26.47 2048 Bytes 3/28/2012 10:24:23
VBASE008.VDF : 7.11.26.48 2048 Bytes 3/28/2012 10:24:23
VBASE009.VDF : 7.11.26.49 2048 Bytes 3/28/2012 10:24:23
VBASE010.VDF : 7.11.26.50 2048 Bytes 3/28/2012 10:24:23
VBASE011.VDF : 7.11.26.51 2048 Bytes 3/28/2012 10:24:23
VBASE012.VDF : 7.11.26.52 2048 Bytes 3/28/2012 10:24:23
VBASE013.VDF : 7.11.26.53 2048 Bytes 3/28/2012 10:24:23
VBASE014.VDF : 7.11.26.107 221696 Bytes 3/30/2012 10:24:23
VBASE015.VDF : 7.11.26.179 224768 Bytes 4/2/2012 10:24:23
VBASE016.VDF : 7.11.26.241 142336 Bytes 4/4/2012 10:24:23
VBASE017.VDF : 7.11.27.41 247808 Bytes 4/8/2012 10:24:23
VBASE018.VDF : 7.11.27.107 161280 Bytes 4/12/2012 10:24:23
VBASE019.VDF : 7.11.27.159 148992 Bytes 4/13/2012 10:24:23
VBASE020.VDF : 7.11.27.201 207360 Bytes 4/17/2012 10:24:23
VBASE021.VDF : 7.11.28.3 237568 Bytes 4/19/2012 10:24:23
VBASE022.VDF : 7.11.28.49 193536 Bytes 4/20/2012 10:24:23
VBASE023.VDF : 7.11.28.99 195072 Bytes 4/23/2012 10:24:23
VBASE024.VDF : 7.11.28.133 247808 Bytes 4/24/2012 10:24:23
VBASE025.VDF : 7.11.28.183 186880 Bytes 4/26/2012 10:24:23
VBASE026.VDF : 7.11.28.235 166400 Bytes 4/30/2012 10:24:23
VBASE027.VDF : 7.11.29.37 290816 Bytes 5/3/2012 10:24:23
VBASE028.VDF : 7.11.29.75 168448 Bytes 5/7/2012 10:24:23
VBASE029.VDF : 7.11.29.76 2048 Bytes 5/7/2012 10:24:23
VBASE030.VDF : 7.11.29.77 2048 Bytes 5/7/2012 10:24:23
VBASE031.VDF : 7.11.29.98 65024 Bytes 5/8/2012 10:24:23
Engine version : 8.2.10.62
AEVDF.DLL : 8.1.2.2 106868 Bytes 1/31/2012 15:56:42
AESCRIPT.DLL : 8.1.4.18 455034 Bytes 5/8/2012 10:24:24
AESCN.DLL : 8.1.8.2 131444 Bytes 5/8/2012 10:24:24
AESBX.DLL : 8.2.5.5 606579 Bytes 5/8/2012 10:24:24
AERDL.DLL : 8.1.9.15 639348 Bytes 1/31/2012 15:56:42
AEPACK.DLL : 8.2.16.12 807287 Bytes 5/8/2012 10:24:24
AEOFFICE.DLL : 8.1.2.28 201082 Bytes 5/8/2012 10:24:24
AEHEUR.DLL : 8.1.4.23 4702582 Bytes 5/8/2012 10:24:23
AEHELP.DLL : 8.1.20.0 254326 Bytes 5/8/2012 10:24:23
AEGEN.DLL : 8.1.5.28 422260 Bytes 5/8/2012 10:24:23
AEEXP.DLL : 8.1.0.35 82291 Bytes 5/8/2012 10:24:24
AEEMU.DLL : 8.1.3.0 393589 Bytes 1/31/2012 15:56:38
AECORE.DLL : 8.1.25.6 201078 Bytes 5/8/2012 10:24:23
AEBB.DLL : 8.1.1.0 53618 Bytes 1/31/2012 15:56:38
AVWINLL.DLL : 12.3.0.15 27344 Bytes 5/8/2012 10:24:22
AVPREF.DLL : 12.3.0.15 51920 Bytes 5/8/2012 10:24:24
AVREP.DLL : 12.3.0.15 179208 Bytes 5/8/2012 10:24:26
AVARKT.DLL : 12.3.0.15 211408 Bytes 5/8/2012 10:24:24
AVEVTLOG.DLL : 12.3.0.15 169168 Bytes 5/8/2012 10:24:24
SQLITE3.DLL : 3.7.0.1 398288 Bytes 5/8/2012 10:24:26
AVSMTP.DLL : 12.3.0.15 63440 Bytes 5/8/2012 10:24:24
NETNT.DLL : 12.3.0.15 17104 Bytes 5/8/2012 10:24:26
RCIMAGE.DLL : 12.3.0.15 4450000 Bytes 5/8/2012 10:24:22
RCTEXT.DLL : 12.3.0.15 96720 Bytes 5/8/2012 10:24:22

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files (x86)\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: default
Primary action......................: Repair
Secondary action....................: Ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: extended
Deviating risk categories...........: +APPL,

Start of the scan: Tuesday, May 08, 2012 08:20

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
[INFO] Please restart the search with Administrator rights

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
[INFO] Please restart the search with Administrator rights

Starting search for hidden objects.

The scan of running processes will be started
Scan process 'avscan.exe' - '79' Module(s) have been scanned
Scan process 'avcenter.exe' - '120' Module(s) have been scanned
Scan process 'avgnt.exe' - '77' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '70' Module(s) have been scanned
Module is OK -> <\\.\globalroot\systemroot\syswow64\mswsock.dll>
[WARNING] The file could not be opened!
Scan process 'jusched.exe' - '58' Module(s) have been scanned
Scan process 'TWebCamera.exe' - '60' Module(s) have been scanned

Starting to scan executable files (registry).
The registry was scanned ( '1676' files ).


Starting the file scan:

Begin scan in 'C:\' <TI105955W0C>
C:\Program Files (x86)\K-Lite Codec Pack\Tools\CodecTweakTool-1.bin
[WARNING] Error multiple volume
C:\Program Files (x86)\K-Lite Codec Pack\Tools\Win7DSFilterTweaker-1.bin
[WARNING] Error multiple volume
C:\Program Files (x86)\TOSHIBA Games\Wheel of Fortune 2\Wheel Of Fortune.dat
[WARNING] Invalid end of file
C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
[NOTE] A backup was created as '56e8dc37.qua' ( QUARANTINE )
[WARNING] The file was ignored!
C:\Users\Kingtutt1964\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\21UTER1M\avira_free_antivirus_en.exe
[WARNING] The file is password protected
C:\Users\Kingtutt1964\AppData\Local\Microsoft\Windows Live\Installer\BITA68.tmp
[WARNING] The archive header is damaged
C:\Users\Kingtutt1964\Documents\Documents on Kingtutt1964's T-Mobile_LEO\install_flashplayer10ax_gtbp_chra_aih.exe
[WARNING] The file is password protected
C:\Windows\assembly\GAC_32\Desktop.ini
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
[WARNING] The file could not be copied to the quarantine directory.
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] The file could not be copied to the quarantine directory.
[WARNING] System error [0]: The operation completed successfully.
[WARNING] The file was ignored!
C:\Windows\assembly\GAC_64\Desktop.ini
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
[WARNING] The file could not be copied to the quarantine directory.
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] The file could not be copied to the quarantine directory.
[WARNING] System error [0]: The operation completed successfully.
[WARNING] The file was ignored!
C:\Windows\assembly\temp\U\80000032.@
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
[NOTE] A backup was created as '65d9ee24.qua' ( QUARANTINE )
[WARNING] The file was ignored!
C:\Windows\assembly\temp\U\80000064.@
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
[NOTE] A backup was created as '205dc31a.qua' ( QUARANTINE )
[WARNING] The file was ignored!
C:\Windows\System32\consrv.dll
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
[NOTE] A backup was created as '4088f610.qua' ( QUARANTINE )
[WARNING] The file was ignored!
C:\Windows\System32\samss.dll
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] A backup was created as '0c31da3b.qua' ( QUARANTINE )
[WARNING] The file was ignored!
C:\Windows\System32\Spsmqvsm.dll
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] A backup was created as '70239a7f.qua' ( QUARANTINE )
[WARNING] The file was ignored!


End of the scan: Tuesday, May 08, 2012 09:32
Used time: 1:12:28 Hour(s)

The scan has been done completely.

24992 Scanned directories
339265 Files were scanned
8 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 Files were deleted
0 Viruses and unwanted programs were repaired
6 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
339256 Files not concerned
2122 Archives were scanned
15 Warnings
8 Notes
566682 Objects were scanned with rootkit scan
0 Hidden objects were found

marfabilis

16

Tuesday, May 8th 2012, 7:19pm

Hi AeonFlux,

1) Please run the DDS tool, following the procedure below:
  • Download the DDS Tool :: Alternative link and save the file to your Desktop;
  • Double-click on the DDS.scr icon to start the program and click on the run button to start DDS;
  • DDS will now display a small black window providing information as to what DDS is doing on your computer;

  • DDS will now start scanning your computer and compiling a variety of information about what programs are starting on your computer, what files have been recently created, and the general configuration of your computer. When DDS has finished scanning, all of this information will be compiled and be displayed in two notepad windows named dds.txt and attach.txt;
  • Save both files to your Desktop and submit the dds.txt and attach.txt to Pastebin.com. Post the URL from dds.txt and attach.txt in your next reply.
How to submit your logs using Pastebin.com:
  • Copy all text (CTRL + A) and Paste (CTRL + V) in the form. Follow this procedure for both files:
  • Please select "1 day" in the Paste Expiration and click on Submit button;
  • Your log can be detected by the spam detection filter from Pastebin.com. Just type the captcha that will appear on your screen.
  • Wait a few seconds and a screen with your text will appear. Copy and paste the URL of your submission in your next reply.
-----
2) Please download SystemLook and save it to your desktop.
  • Double-click SystemLook.exe to run it;
  • Copy the content of the following quoted box into the main textfield (do NOT copy the word "Quoted")

    Quoted

    :filefind
    winsrv.dll
    consrv.dll
    :reg
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems /sub
  • Click on Look button to start the scan;
  • When finished, a Notepad window will open with the results of the scan;
  • Please submit the log to Pastebin.com and please post the URL in your next reply.
Note: The log can also be found on your desktop entitled SystemLook.txt

Marco
| :: RU | EN | PT-BR | ZH-CN | ZH-TW ::

  • "AeonFlux" started this thread

17

Wednesday, May 9th 2012, 1:21am

This post has been edited 1 times, last edit by "AeonFlux" (May 9th 2012, 1:25am)


  • "AeonFlux" started this thread

18

Wednesday, May 9th 2012, 1:26am


marfabilis

19

Wednesday, May 9th 2012, 2:31am

Hi AeonFlux,

1) Please download OTM by OldTimer and save it to your desktop;
  • Please double-click on OTM to run it. If you are running on Windows Vista/7, right-click on the file and choose Run As Administrator;
  • Copy the lines in the quote below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy);
  • Don't include the word "Quoted";

    Quoted

    :Files
    C:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe
    C:\windows\system64
    :Commands
    [emptytemp]
    [Reboot]
  • Return to OTM, right click under and choose Paste;
  • Close all other programs or open windows, leaving only OTM open;
  • Click on ;
  • Copy everything under to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply;
  • Click when done to close OTM;
  • A log of the results is automatically created and saved to C:\_OTM\MovedFiles\mmddyyyy_hhmmss.log (date/time the tool was run)
Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. After the reboot, open Notepad, click File > Open, in the File Name box type *.log and press the Enter key. Navigate to the C:\_OTM\MovedFiles folder, open the newest .log file and copy/paste the contents in your next reply. If not asked, reboot anyway.

2) Click Start > Type notepad into the Search box and press enter;
  • Copy and paste the text in the quote below in Notepad (do not copy the word Quoted);

    Quoted

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
    "Windows"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6D,00,\
    52,00,6F,00,6F,00,74,00,25,00,5C,00,73,00,79,00,73,00,74,00,65,00,6D,00,\
    33,00,32,00,5C,00,63,00,73,00,72,00,73,00,73,00,2E,00,65,00,78,00,65,00,\
    20,00,4F,00,62,00,6A,00,65,00,63,00,74,00,44,00,69,00,72,00,65,00,63,00,\
    74,00,6F,00,72,00,79,00,3D,00,5C,00,57,00,69,00,6E,00,64,00,6F,00,77,00,\
    73,00,20,00,53,00,68,00,61,00,72,00,65,00,64,00,53,00,65,00,63,00,74,00,\
    69,00,6F,00,6E,00,3D,00,31,00,30,00,32,00,34,00,2C,00,32,00,30,00,34,00,\
    38,00,30,00,2C,00,37,00,36,00,38,00,20,00,57,00,69,00,6E,00,64,00,6F,00,\
    77,00,73,00,3D,00,4F,00,6E,00,20,00,53,00,75,00,62,00,53,00,79,00,73,00,\
    74,00,65,00,6D,00,54,00,79,00,70,00,65,00,3D,00,57,00,69,00,6E,00,64,00,\
    6F,00,77,00,73,00,20,00,53,00,65,00,72,00,76,00,65,00,72,00,44,00,6C,00,\
    6C,00,3D,00,62,00,61,00,73,00,65,00,73,00,72,00,76,00,2C,00,31,00,20,00,\
    53,00,65,00,72,00,76,00,65,00,72,00,44,00,6C,00,6C,00,3D,00,77,00,69,00,\
    6E,00,73,00,72,00,76,00,3A,00,55,00,73,00,65,00,72,00,53,00,65,00,72,00,\
    76,00,65,00,72,00,44,00,6C,00,6C,00,49,00,6E,00,69,00,74,00,69,00,61,00,\
    6C,00,69,00,7A,00,61,00,74,00,69,00,6F,00,6E,00,2C,00,33,00,20,00,53,00,\
    65,00,72,00,76,00,65,00,72,00,44,00,6C,00,6C,00,3D,00,77,00,69,00,6E,00,\
    73,00,72,00,76,00,3A,00,43,00,6F,00,6E,00,53,00,65,00,72,00,76,00,65,00,\
    72,00,44,00,6C,00,6C,00,49,00,6E,00,69,00,74,00,69,00,61,00,6C,00,69,00,\
    7A,00,61,00,74,00,69,00,6F,00,6E,00,2C,00,32,00,20,00,53,00,65,00,72,00,\
    76,00,65,00,72,00,44,00,6C,00,6C,00,3D,00,73,00,78,00,73,00,73,00,72,00,\
    76,00,2C,00,34,00,20,00,50,00,72,00,6F,00,66,00,69,00,6C,00,65,00,43,00,\
    6F,00,6E,00,74,00,72,00,6F,00,6C,00,3D,00,4F,00,66,00,66,00,20,00,4D,00,\
    61,00,78,00,52,00,65,00,71,00,75,00,65,00,73,00,74,00,54,00,68,00,72,00,\
    65,00,61,00,64,00,73,00,3D,00,31,00,36,00,00,00
  • Once you've done that, click on File and select Save As...;
  • In the Save dialogue box click on the drop down menu next to Save as type, select All Files and name the file as fix.reg;
  • Save the file to your desktop, exit Notepad, right-click on fix.reg and select Merge, then click Yes;
  • Make sure there are NO blank lines before Windows Registry Editor Version 5.00
  • Reboot your system, please rerun SystemLook with that same content and post the results to Pastebin again.
----
Marco
| :: RU | EN | PT-BR | ZH-CN | ZH-TW ::
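
The fix.reg in the post above stores the SubSystems "Windows" value as hex(2) data, so it is not readable at a glance. As an added example (not part of the thread or of any tool named in it), this decodes such an entry and lists the ServerDll modules it names, reporting any that the posted fix does not contain; FIX_VALUE is the decoded text of the posted hex, the tampered sample is constructed, and the function names are hypothetical.

```python
import re

# Decoded text of the "Windows" value carried by the fix.reg posted above.
FIX_VALUE = (r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
             "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
             "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
             "ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
             "ProfileControl=Off MaxRequestThreads=16")

def to_reg_hex2(name, text, width=76):
    """Render text as a wrapped .reg hex(2) entry (helper to build sample input)."""
    data = (text + "\0").encode("utf-16-le")
    body = '"%s"=hex(2):' % name + ",".join("%02x" % b for b in data)
    lines = []
    while len(body) > width:          # regedit wraps with a trailing backslash
        cut = body.rfind(",", 0, width) + 1
        lines.append(body[:cut] + "\\")
        body = "  " + body[cut:]
    return "\n".join(lines + [body])

def parse_reg_hex2(reg_text, name):
    """Return the string held in a hex(2) (REG_EXPAND_SZ) value, or None."""
    joined = re.sub(r"\\\s*\n\s*", "", reg_text)      # undo line continuations
    pattern = r'^\s*"%s"=hex\(2\):([0-9a-fA-F,]*)' % re.escape(name)
    m = re.search(pattern, joined, re.M)
    if not m:
        return None
    raw = bytes(int(b, 16) for b in m.group(1).split(",") if b)
    return raw.decode("utf-16-le").rstrip("\0")

def server_dlls(value):
    """Module names from the ServerDll= tokens of the subsystem command line."""
    return [d.lower() for d in re.findall(r"\bServerDll=([^,:\s]+)", value, re.I)]

def unexpected_dlls(value, baseline=FIX_VALUE):
    """ServerDll modules named in value that the baseline does not name."""
    return sorted(set(server_dlls(value)) - set(server_dlls(baseline)))

# Constructed sample, not the poster's registry: the console ServerDll entry
# names consrv, the module Avira flagged in System32, instead of winsrv.
SAMPLE_REG = ("Windows Registry Editor Version 5.00\n\n"
              "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control"
              "\\Session Manager\\SubSystems]\n"
              + to_reg_hex2("Windows", FIX_VALUE.replace("winsrv:Con", "consrv:Con")))

if __name__ == "__main__":
    decoded = parse_reg_hex2(SAMPLE_REG, "Windows")
    print(decoded)
    print("ServerDll modules not in the fix:", unexpected_dlls(decoded))
```

The same parser reads a SubSystems export saved from regedit, since exports use the same hex(2) layout with backslash line continuations.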

  • "AeonFlux" started this thread

20

Wednesday, May 9th 2012, 3:30am

I did what you said, and restarted, now Windows won't load or start after OTM!

What am I supposed to do now?